Superfish 2.0: Now Dell is Breaking HTTPS

Earlier this year it was revealed that Lenovo was shipping computers preloaded with software called Superfish, which installed its own HTTPS root certificate on affected computers. That in and of itself wouldn't be so bad, except Superfish's certificates all used the same private key. That meant all the affected computers were vulnerable to a “man in the middle” attack in which an attacker could use that private key to eavesdrop on users' encrypted connections to websites, and even impersonate other websites.

Now it appears that Dell has done the same thing [PDF], shipping laptops pre-installed with an HTTPS root certificate issued by Dell, known as eDellRoot. The certificate could allow malicious software or an attacker to impersonate Google, your bank, or any other website. It could also allow an attacker to install malicious code that has a valid signature, bypassing Windows security controls. The security team for the Chrome browser appears to have already revoked the certificate. People can test if their computer is affected by the bogus certificate by following this link.

Ars Technica is reporting that at least two models of Dell laptop have been confirmed to contain the rogue certificate, but the actual number is possibly much higher.

The same certificate appears to be installed in every affected Dell machine, which would enable an attacker to compromise every affected Dell user if only they had the private key which Dell used to create the certificate. Fortunately for attackers (and unfortunately for Dell's customers), Dell included that key on all the affected laptops as well. The result is that anyone with an affected Dell laptop could use it to create a valid HTTPS certificate for any other affected Dell laptop owner. One security researcher made this test site signed with the Dell certificate to prove that this attack was possible. During the test, the researcher confirmed that Firefox, Chrome and Internet Explorer all established an encrypted connection to the site with no warnings at all on an affected Dell laptop. Notably the Dell root certificate was also discovered on at least one SCADA system (the type of computer systems used to control industrial equipment, including in power plants, water treatment centers, and factories).
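A quick way for an administrator to check whether a Windows machine carries a root certificate of this kind, and whether its private key is present locally (the condition the post describes), is to query the certificate stores directly. The script below is an added example, not part of the EFF post or of Dell's remediation instructions; it matches on the subject name "eDellRoot" given above (the exact subject and thumbprint are assumptions, since the post does not list them), reads the stores only, and removes nothing.

```powershell
# Added example (not from the EFF post): look for a root certificate whose
# subject contains "eDellRoot" in the machine and user Root stores and report
# whether the private key is installed alongside it. Read-only; run elevated
# so the LocalMachine store is fully readable.

$subjectPattern = '*eDellRoot*'   # assumption: subject text as named in the post

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like $subjectPattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                SelfSigned    = ($_.Subject -eq $_.Issuer)
                NotBefore     = $_.NotBefore
                NotAfter      = $_.NotAfter
                # True means the key that can sign certificates for any site
                # is sitting on this machine, which is the core of the problem.
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

if ($findings) {
    Write-Warning "Root certificate matching $subjectPattern found:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No certificate matching $subjectPattern in the Root stores."
}
```

A trusted root with HasPrivateKey set to True is a finding worth escalating regardless of the name it carries; removal should follow the vendor's documented procedure so that the certificate does not come back with the next support tool update.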

Customer security and privacy is a top concern and priority for Dell; we deeply regret that this has happened and are taking steps to address it.

The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information. It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process.

While we applaud Dell for responding to this fiasco so quickly, the fact remains that it never should have happened in the first place. The rogue eDellRoot certificate is dated two months after the Superfish debacle happened. Furthermore, Dell used the Superfish debacle to their advantage, promoting the security of their own products. Since Dell clearly knew that installing a root certificate—à la Superfish—was a bad idea, why did they make the exact same blunder?

We hope that other computer manufacturers will learn from this fiasco, if they didn't already learn from Lenovo and Superfish. Hardware manufacturers need to realize that installing their own root certificates on consumer machines is dangerous and irresponsible, since it compromises the security of the entire web. If they don't, they're guaranteed to keep facing embarrassment and losing the trust of their customers.
